On December 7th Defense Undersecretary for Acquisition Ellen Lord announced that suppliers will only be required to update their System Security Plan (SSP) and Plan of Action (POA) by December 31, 2017. The SSP must identify those provisions that have not been fully implemented and the POA must lay out the schedule by which each provision will become fully compliant.

The DoD has not set a deadline by which all elements of NIST 800.171 must be in full compliance.